Learning OSPF with one Juniper SRX100 (basic)

One of the beauties of Jumiper SRX is it has a heritage function from ScreenOS called “virtual router”. Unlike ScreenOS, Junos has the ability link virtual routers up with logical interfaces (lt-0/0/0). With these 2 features, Virtual routers could have their own route tables, could simulate several routers within a single box of SRX, and could run routing protocols between them. (I have tried with Cisco VRF, but it doesn’t work as expected.)

From the official specification from Juniper, SRX 100 should only support 3 virtual routers. The secret here is SRX 100 h2 version could create up to 11 virtual routers, and all of them can run flawlessly. (Juniper s not selling any non SRX100 h2 from a year ago. So a single SRX could do the OSPF, OSPF v3, IS-IS and limited BGP training lab already.)

Since my SRX is my internet gateway with NAT, it runs with flow mode. But the VRs will be run as stateless mode by applying packet filter to avoid any policy restrictions blocking the OSPF talks and asymmetric flows between VRs. (If any questions regarding to this configuration, feel free to let me know. )


This post will focus on OSPF with IPv4 only. The topology for OSPF lab is listed as below. (This test bed is being used for Internet access and for my BGP labs too.)
There will be 9 virtual routers and 3 VRs at the centre serve as backbone and ABR, other VRs will be connecting to the backbone VRs. (With enough creativity and skills, you could use this test bed to learn the characteristic and behaviors of different OSPF area types.)

OSPF_testbed

 


The OSPF lab for this time will be a simple flat layer with all routers placed in area 0. Putting everything in area 0 allows network administrators to handle their network easily without too much of the troubleshooting needs if the network does not have much of the changes frequently. However, it would not be a good practice if network is expending as all high and low end OSPF member routers require to consume have as much memories when they have to share the same size of route table amount each others.  (We will talk about that in another post.)


Configuration:

I will describe the configuration for VR-001 as the example. Other similar VR configuration will simply be pasted below.

VR-001 config:
set interfaces lo0 unit 1 family inet address 192.168.201.1/32
set interfaces lo0 unit 1 family inet filter input VR-R001_inet-filter
set interfaces lt-0/0/0 unit 9 encapsulation ethernet    // set this logical interface to emulate as a ethernet connection
set interfaces lt-0/0/0 unit 9 peer-unit 10     // tell this logical interface where is the other end. In this case, lt-0/0/0.10 is the other end.
set interfaces lt-0/0/0 unit 9 family inet filter input VR-R001_inet-filter     // apply firewall filter to route all incoming packets arrives to this interface without creating any sessions.
set interfaces lt-0/0/0 unit 9 family inet filter output VR-R001_inet-filter     // apply firewall filter to route all outgoing packets exist from this interface without creating any sessions.
set interfaces lt-0/0/0 unit 9 family inet address 192.168.200.9/30
set interfaces lt-0/0/0 unit 13 encapsulation ethernet
set interfaces lt-0/0/0 unit 13 peer-unit 14
set interfaces lt-0/0/0 unit 13 family inet filter input VR-R001_inet-filter
set interfaces lt-0/0/0 unit 13 family inet filter output VR-R001_inet-filter
set interfaces lt-0/0/0 unit 13 family inet address 192.168.200.13/30
set interfaces lt-0/0/0 unit 38 encapsulation ethernet
set interfaces lt-0/0/0 unit 38 peer-unit 37
set interfaces lt-0/0/0 unit 38 family inet filter input VR-R001_inet-filter
set interfaces lt-0/0/0 unit 38 family inet filter output VR-R001_inet-filter
set interfaces lt-0/0/0 unit 38 family inet address 192.168.200.38/30
set interfaces lt-0/0/0 unit 42 encapsulation ethernet
set interfaces lt-0/0/0 unit 42 peer-unit 41
set interfaces lt-0/0/0 unit 42 family inet filter input VR-R001_inet-filter
set interfaces lt-0/0/0 unit 42 family inet filter output VR-R001_inet-filter
set interfaces lt-0/0/0 unit 42 family inet address 192.168.200.42/30
set firewall family inet filter VR-R001_inet-filter interface-specific
set firewall family inet filter VR-R001_inet-filter term 99-packet_traffic then packet-mode     //make all packets that hit this filter to route with stateless mode.
set routing-instances VR-001 instance-type virtual-router      // VR-001 is the name of the routing instance and we set this type of instance as a virtual router.
set routing-instances VR-001 interface lt-0/0/0.9       //assign an interface to this routing instance by putting the interface name under the routing instance. Unlike logical system, IP address will not be assigned under routing instance.
set routing-instances VR-001 interface lt-0/0/0.13
set routing-instances VR-001 interface lt-0/0/0.38
set routing-instances VR-001 interface lt-0/0/0.42
set routing-instances VR-001 interface lo0.1     //assign a loopback interface to this routing instance
set routing-instances VR-001 routing-options router-id 192.168.201.1       // assign a router-id to this routing instance to avoid OSPF ip address auto selection.
set routing-instances VR-001 routing-options autonomous-system 65530      // this testbed is assigned to a private AS of 65530, it is not required for OSPF lab, but i m using this testbed for BGP as well.
set routing-instances VR-001 protocols ospf area 0.0.0.0 interface lt-0/0/0.9 interface-type p2p     // Putting the VR-001 into the OSPF area 0 and assign the interface to form adjacency. The p2p is to reduce the over head of DR election.
set routing-instances VR-001 protocols ospf area 0.0.0.0 interface lt-0/0/0.13 interface-type p2p
set routing-instances VR-001 protocols ospf area 0.0.0.0 interface lo0.1 passive   //putting the loopback interface into passive because loopback does not have any adjacency.
set routing-instances VR-001 protocols ospf area 0.0.0.0 interface lt-0/0/0.38 interface-type p2p
set routing-instances VR-001 protocols ospf area 0.0.0.0 interface lt-0/0/0.42 interface-type p2p
set security zones security-zone VR-001-untrust host-inbound-traffic system-services all   //host inbound are set to allow all as i dont want to have any troubleshoot for the labbed.
set security zones security-zone VR-001-untrust host-inbound-traffic protocols all
set security zones security-zone VR-001-untrust interfaces lt-0/0/0.38     // assign the interfaces to this security zone of VR-001-untrust since i will sometimes switch back and fore from packet mode and flow mode.
set security zones security-zone VR-001-untrust interfaces lt-0/0/0.42
set security zones security-zone VR-001-untrust interfaces lt-0/0/0.13
set security zones security-zone VR-001-untrust interfaces lt-0/0/0.9
set security zones security-zone VR-001-untrust interfaces lo0.1

 

VR-002 config:
set interfaces lt-0/0/0 unit 10 encapsulation ethernet
set interfaces lt-0/0/0 unit 10 peer-unit 9
set interfaces lt-0/0/0 unit 10 family inet filter input VR-R002_inet-filter
set interfaces lt-0/0/0 unit 10 family inet filter output VR-R002_inet-filter
set interfaces lt-0/0/0 unit 10 family inet address 192.168.200.10/30
set interfaces lt-0/0/0 unit 17 encapsulation ethernet
set interfaces lt-0/0/0 unit 17 peer-unit 18
set interfaces lt-0/0/0 unit 17 family inet filter input VR-R002_inet-filter
set interfaces lt-0/0/0 unit 17 family inet filter output VR-R002_inet-filter
set interfaces lt-0/0/0 unit 17 family inet address 192.168.200.17/30
set interfaces lt-0/0/0 unit 29 encapsulation ethernet
set interfaces lt-0/0/0 unit 29 peer-unit 30
set interfaces lt-0/0/0 unit 29 family inet filter input VR-R002_inet-filter
set interfaces lt-0/0/0 unit 29 family inet filter output VR-R002_inet-filter
set interfaces lt-0/0/0 unit 29 family inet address 192.168.200.29/30
set interfaces lt-0/0/0 unit 34 encapsulation ethernet
set interfaces lt-0/0/0 unit 34 peer-unit 33
set interfaces lt-0/0/0 unit 34 family inet filter input VR-R002_inet-filter
set interfaces lt-0/0/0 unit 34 family inet filter output VR-R002_inet-filter
set interfaces lt-0/0/0 unit 34 family inet address 192.168.200.34/30
set interfaces lo0 unit 2 family inet filter input VR-R002_inet-filter
set interfaces lo0 unit 2 family inet filter output VR-R002_inet-filter
set interfaces lo0 unit 2 family inet address 192.168.201.2/32
set firewall family inet filter VR-R002_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-002 instance-type virtual-router
set routing-instances VR-002 interface lt-0/0/0.10
set routing-instances VR-002 interface lt-0/0/0.17
set routing-instances VR-002 interface lt-0/0/0.29
set routing-instances VR-002 interface lt-0/0/0.34
set routing-instances VR-002 interface lo0.2
set routing-instances VR-002 routing-options router-id 192.168.201.2
set routing-instances VR-002 routing-options autonomous-system 65530
set routing-instances VR-002 protocols ospf area 0.0.0.0 interface lo0.2 passive
set routing-instances VR-002 protocols ospf area 0.0.0.0 interface lt-0/0/0.10 interface-type p2p
set routing-instances VR-002 protocols ospf area 0.0.0.0 interface lt-0/0/0.17 interface-type p2p
set routing-instances VR-002 protocols ospf area 0.0.0.0 interface lt-0/0/0.29 interface-type p2p
set routing-instances VR-002 protocols ospf area 0.0.0.0 interface lt-0/0/0.34 interface-type p2p
set security zones security-zone VR-002-untrust host-inbound-traffic system-services all
set security zones security-zone VR-002-untrust host-inbound-traffic protocols all
set security zones security-zone VR-002-untrust interfaces lt-0/0/0.10
set security zones security-zone VR-002-untrust interfaces lt-0/0/0.17
set security zones security-zone VR-002-untrust interfaces lt-0/0/0.29
set security zones security-zone VR-002-untrust interfaces lt-0/0/0.34
set security zones security-zone VR-002-untrust interfaces lo0.2

 

VR-003 config:
set interfaces lt-0/0/0 unit 14 encapsulation ethernet
set interfaces lt-0/0/0 unit 14 peer-unit 13
set interfaces lt-0/0/0 unit 14 family inet filter input VR-R003_inet-filter
set interfaces lt-0/0/0 unit 14 family inet filter output VR-R003_inet-filter
set interfaces lt-0/0/0 unit 14 family inet address 192.168.200.14/30
set interfaces lt-0/0/0 unit 18 encapsulation ethernet
set interfaces lt-0/0/0 unit 18 peer-unit 17
set interfaces lt-0/0/0 unit 18 family inet filter input VR-R003_inet-filter
set interfaces lt-0/0/0 unit 18 family inet filter output VR-R003_inet-filter
set interfaces lt-0/0/0 unit 18 family inet address 192.168.200.18/30
set interfaces lt-0/0/0 unit 21 encapsulation ethernet
set interfaces lt-0/0/0 unit 21 peer-unit 22
set interfaces lt-0/0/0 unit 21 family inet filter input VR-R003_inet-filter
set interfaces lt-0/0/0 unit 21 family inet filter output VR-R003_inet-filter
set interfaces lt-0/0/0 unit 21 family inet address 192.168.200.21/30
set interfaces lt-0/0/0 unit 25 encapsulation ethernet
set interfaces lt-0/0/0 unit 25 peer-unit 26
set interfaces lt-0/0/0 unit 25 family inet filter input VR-R003_inet-filter
set interfaces lt-0/0/0 unit 25 family inet filter output VR-R003_inet-filter
set interfaces lt-0/0/0 unit 25 family inet address 192.168.200.25/30
set interfaces lo0 unit 3 family inet filter input VR-R003_inet-filter
set interfaces lo0 unit 3 family inet address 192.168.201.3/32
set firewall family inet filter VR-R003_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-003 instance-type virtual-router
set routing-instances VR-003 interface lt-0/0/0.14
set routing-instances VR-003 interface lt-0/0/0.18
set routing-instances VR-003 interface lt-0/0/0.21
set routing-instances VR-003 interface lt-0/0/0.25
set routing-instances VR-003 interface lo0.3
set routing-instances VR-003 routing-options router-id 192.168.201.3
set routing-instances VR-003 routing-options autonomous-system 65530
set routing-instances VR-003 protocols ospf area 0.0.0.0 interface lo0.3 passive
set routing-instances VR-003 protocols ospf area 0.0.0.0 interface lt-0/0/0.14 interface-type p2p
set routing-instances VR-003 protocols ospf area 0.0.0.0 interface lt-0/0/0.18 interface-type p2p
set routing-instances VR-003 protocols ospf area 0.0.0.0 interface lt-0/0/0.21 interface-type p2p
set routing-instances VR-003 protocols ospf area 0.0.0.0 interface lt-0/0/0.25 interface-type p2p
set security zones security-zone VR-003-untrust host-inbound-traffic system-services all
set security zones security-zone VR-003-untrust host-inbound-traffic protocols all
set security zones security-zone VR-003-untrust interfaces lt-0/0/0.14
set security zones security-zone VR-003-untrust interfaces lt-0/0/0.18
set security zones security-zone VR-003-untrust interfaces lt-0/0/0.25
set security zones security-zone VR-003-untrust interfaces lt-0/0/0.21
set security zones security-zone VR-003-untrust interfaces lo0.3
set security zones security-zone VR-003-untrust interfaces lt-0/0/0.48

 

VR-011 config:
set interfaces lt-0/0/0 unit 37 encapsulation ethernet
set interfaces lt-0/0/0 unit 37 peer-unit 38
set interfaces lt-0/0/0 unit 37 family inet filter input VR-R011_inet-filter
set interfaces lt-0/0/0 unit 37 family inet filter output VR-R011_inet-filter
set interfaces lt-0/0/0 unit 37 family inet address 192.168.200.37/30
set interfaces lo0 unit 11 family inet filter input VR-R011_inet-filter
set interfaces lo0 unit 11 family inet filter output VR-R011_inet-filter
set interfaces lo0 unit 11 family inet address 192.168.201.11/32
set firewall family inet filter VR-R011_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-011 instance-type virtual-router
set routing-instances VR-011 interface lt-0/0/0.37
set routing-instances VR-011 interface lo0.11
set routing-instances VR-011 routing-options router-id 192.168.201.11
set routing-instances VR-011 protocols ospf area 0.0.0.0 interface lt-0/0/0.37 interface-type p2p
set routing-instances VR-011 protocols ospf area 0.0.0.0 interface lo0.11 passive
set security zones security-zone VR-011-untrust host-inbound-traffic system-services all
set security zones security-zone VR-011-untrust host-inbound-traffic protocols all
set security zones security-zone VR-011-untrust interfaces lt-0/0/0.37
set security zones security-zone VR-011-untrust interfaces lo0.11

 

VR-012 config:
set interfaces lo0 unit 12 family inet filter input VR-R012_inet-filter
set interfaces lo0 unit 12 family inet filter output VR-R012_inet-filter
set interfaces lo0 unit 12 family inet address 192.168.201.12/32
set interfaces lt-0/0/0 unit 41 encapsulation ethernet
set interfaces lt-0/0/0 unit 41 peer-unit 42
set interfaces lt-0/0/0 unit 41 family inet filter input VR-R012_inet-filter
set interfaces lt-0/0/0 unit 41 family inet filter output VR-R012_inet-filter
set interfaces lt-0/0/0 unit 41 family inet address 192.168.200.41/30
set firewall family inet filter VR-R012_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-012 instance-type virtual-router
set routing-instances VR-012 interface lt-0/0/0.41
set routing-instances VR-012 interface lo0.12
set routing-instances VR-012 routing-options router-id 192.168.201.12
set routing-instances VR-012 protocols ospf area 0.0.0.0 interface lt-0/0/0.41 interface-type p2p
set routing-instances VR-012 protocols ospf area 0.0.0.0 interface lo0.12 passive
set security zones security-zone VR-012-untrust host-inbound-traffic system-services all
set security zones security-zone VR-012-untrust host-inbound-traffic protocols all
set security zones security-zone VR-012-untrust interfaces lt-0/0/0.41
set security zones security-zone VR-012-untrust interfaces lo0.12

 

VR-021 config:
set interfaces lo0 unit 21 family inet filter output VR-R021_inet-filter
set interfaces lo0 unit 21 family inet address 192.168.201.21/32
set interfaces lt-0/0/0 unit 41 encapsulation ethernet
set interfaces lt-0/0/0 unit 41 peer-unit 42
set interfaces lt-0/0/0 unit 41 family inet filter input VR-R012_inet-filter
set interfaces lt-0/0/0 unit 41 family inet filter output VR-R012_inet-filter
set interfaces lt-0/0/0 unit 41 family inet address 192.168.200.41/30
set firewall family inet filter VR-R021_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-021 instance-type virtual-router
set routing-instances VR-021 interface lt-0/0/0.30
set routing-instances VR-021 interface lo0.21
set routing-instances VR-021 routing-options router-id 192.168.201.21
set routing-instances VR-021 protocols ospf area 0.0.0.0 interface lo0.21 passive
set routing-instances VR-021 protocols ospf area 0.0.0.0 interface lt-0/0/0.30 interface-type p2p
set security zones security-zone VR-021-untrust host-inbound-traffic system-services all
set security zones security-zone VR-021-untrust host-inbound-traffic protocols all
set security zones security-zone VR-021-untrust interfaces lo0.21
set security zones security-zone VR-021-untrust interfaces lt-0/0/0.30

 

VR-022 config:
set interfaces lo0 unit 22 family inet filter input VR-R022_inet-filter
set interfaces lo0 unit 22 family inet filter output VR-R022_inet-filter
set interfaces lo0 unit 22 family inet address 192.168.201.22/32
set interfaces lt-0/0/0 unit 33 encapsulation ethernet
set interfaces lt-0/0/0 unit 33 peer-unit 34
set interfaces lt-0/0/0 unit 33 family inet filter input VR-R022_inet-filter
set interfaces lt-0/0/0 unit 33 family inet filter output VR-R022_inet-filter
set interfaces lt-0/0/0 unit 33 family inet address 192.168.200.33/30
set firewall family inet filter VR-R022_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-022 instance-type virtual-router
set routing-instances VR-022 interface lt-0/0/0.33
set routing-instances VR-022 interface lo0.22
set routing-instances VR-022 routing-options router-id 192.168.201.22
set routing-instances VR-022 protocols ospf area 0.0.0.0 interface lo0.22 passive
set routing-instances VR-022 protocols ospf area 0.0.0.0 interface lt-0/0/0.33 interface-type p2p
set security zones security-zone VR-022-untrust host-inbound-traffic system-services all
set security zones security-zone VR-022-untrust host-inbound-traffic protocols all
set security zones security-zone VR-022-untrust interfaces lt-0/0/0.33
set security zones security-zone VR-022-untrust interfaces lo0.22

 

VR-031 config:
set interfaces lo0 unit 31 family inet filter input VR-R031_inet-filter
set interfaces lo0 unit 31 family inet filter output VR-R031_inet-filter
set interfaces lo0 unit 31 family inet address 192.168.201.31/32
set interfaces lt-0/0/0 unit 26 encapsulation ethernet
set interfaces lt-0/0/0 unit 26 peer-unit 25
set interfaces lt-0/0/0 unit 26 family inet filter input VR-R031_inet-filter
set interfaces lt-0/0/0 unit 26 family inet filter output VR-R031_inet-filter
set interfaces lt-0/0/0 unit 26 family inet address 192.168.200.26/30
set firewall family inet filter VR-R031_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-031 instance-type virtual-router
set routing-instances VR-031 interface lt-0/0/0.26
set routing-instances VR-031 interface lo0.31
set routing-instances VR-031 routing-options router-id 192.168.201.31
set routing-instances VR-031 protocols ospf area 0.0.0.0 interface lo0.31 passive
set routing-instances VR-031 protocols ospf area 0.0.0.0 interface lt-0/0/0.26 interface-type p2p
set security zones security-zone VR-031-untrust host-inbound-traffic system-services all
set security zones security-zone VR-031-untrust host-inbound-traffic protocols all
set security zones security-zone VR-031-untrust interfaces lt-0/0/0.26
set security zones security-zone VR-031-untrust interfaces lo0.31

 

VR-032 config:
set interfaces lo0 unit 32 family inet filter input VR-R032_inet-filter
set interfaces lo0 unit 32 family inet filter output VR-R032_inet-filter
set interfaces lo0 unit 32 family inet address 192.168.201.32/32
set interfaces lt-0/0/0 unit 22 encapsulation ethernet
set interfaces lt-0/0/0 unit 22 peer-unit 21
set interfaces lt-0/0/0 unit 22 family inet filter input VR-R032_inet-filter
set interfaces lt-0/0/0 unit 22 family inet filter output VR-R032_inet-filter
set interfaces lt-0/0/0 unit 22 family inet address 192.168.200.22/30
set firewall family inet filter VR-R032_inet-filter term 99-packet_traffic then packet-mode
set routing-instances VR-032 instance-type virtual-router
set routing-instances VR-032 interface lt-0/0/0.22
set routing-instances VR-032 interface lo0.32
set routing-instances VR-032 routing-options router-id 192.168.201.32
set routing-instances VR-032 protocols ospf area 0.0.0.0 interface lt-0/0/0.22 interface-type p2p
set routing-instances VR-032 protocols ospf area 0.0.0.0 interface lo0.32 passive
set security zones security-zone VR-032-untrust host-inbound-traffic system-services all
set security zones security-zone VR-032-untrust host-inbound-traffic protocols all
set security zones security-zone VR-032-untrust interfaces lo0.32
set security zones security-zone VR-032-untrust interfaces lt-0/0/0.22

A trimmed OSPF datebase report from VR-001. It shows all of the virtual routers are in the OSPF area 0.

[edit]
awong@SRX100# run show ospf database instance VR-001
OSPF database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
 Router  *192.168.201.1    192.168.201.1    0x80000004   320  0x22 0x6f9f 180
 Router   192.168.201.2    192.168.201.2    0x80000004   321  0x22 0xec0f 180
 Router   192.168.201.3    192.168.201.3    0x80000004   320  0x22 0xd018 180
 Summary *192.168.201.11   192.168.201.1    0x80000001   315  0x22 0x3198  28
 Summary *192.168.201.12   192.168.201.1    0x80000001   315  0x22 0x27a1  28
 Summary  192.168.201.21   192.168.201.2    0x80000001   320  0x22 0xc6f7  28
 Summary  192.168.201.22   192.168.201.2    0x80000001   320  0x22 0xbc01  28
 Summary  192.168.201.31   192.168.201.3    0x80000001   316  0x22 0x5c57  28
 Summary  192.168.201.32   192.168.201.3    0x80000001   320  0x22 0x5260  28

[edit]


Summary:

The configuration above (in my case) should have enough virtual routers to create a test bed for OSPF. Later on there will be some more post about putting VRs into different types of ospf area, such as stub, NSSA, and totally stub at the test bed.
Hope this post could give out an idea to those who is low on budget of setting up a home lab for learning, regardless of using VM. Please share it out if you like this post.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s